IPv6 Tunnel Broker on GNU/Linux Routers

IPv6 connectivity is slowly spreading around the net day after day. Sooner or later you may want to get IPv6 connectivity to your home, as some providers already does with brave users.

If your ISP does not give you native IPv6 connectivity you can still get your own IPv6 access in a number of ways.

The easiest way to connect a single host to the new world is by using a Teredo tunnel. Most OS already have a client for that, including what matters to us.

Teredo tunnels are easy to setup and just works for a client, but if you want to play a bit with IPv6 routing and addressing, what you need is a tasty /64 IPv6 subnet just for you, and that’s achievable with a Tunnel Broker.

TBs are around from some years (maybe too many), and provides an easy way to assign you an IPv6 subnet and route that to your host with a simple IPv6-in-IPv4 encapsulation. Then, you can reassign the subnet addresses to the other hosts inside your network, and you’ll get completely bidirectional IPv6 visibility between your hosts and the world!

The TB provider I’m currently using is Hurricane Electric, if you register on their website, they’ll give you a /64 subnet routed to our IPv4 host for free. They’ll also give you some information on how to setup the network, but that’s the configuration scripts I use for my net.

Router Configuration

I called my configuration script for IPv6 rc.ipv6. What it needs to know are some data about your tunnel and your network, specifically:

  • LAN: your local network interface
  • TB: interface name for the tunnel broker
  • REMOTE_IPV4: IPv4 address of the other end of the tunnel
  • LOCAL_IPV6: your assigned IPv6, including mask bits
  • REMOTE_IPV6: the remote host IPv6 address
  • ROUTED_IPV6: our IPv6 routed subnet

These information can be found in the “Tunnel Details” page.

What the script does when started is the following:

Add the tunnel and bring the interface up:

ip tunnel add $TB mode sit remote $REMOTE_IPV4
ip link set $TB up

Assign our IPv6 address to our local interface (the one where other hosts will be reachable):

ip addr add $ROUTED_IPV6 dev $LAN

Configure routing for the remote host and default to the tunnel interface:

ip addr add $LOCAL_IPV6 dev $TB
ip route add $REMOTE_IPV6 dev $TB
ip route add ::/0 dev $TB

At this point, IPv6 traffic should be able to flow.

Handling Dynamic IP

The remote end of the tunnel requires to know the local IPv4 address, which means that its configuration have to be updated whenever your local IPv4 address changes.

Hurricane Electric provides an easy to use webpage just to do that from system scripts. That’s what I use in my ip-up PPP scripts:

MD5PASS=$( echo -n $PASS | md5sum | cut -d' ' -f1 )

wget -q -O- "http://ipv4.tunnelbroker.net/ipv4_end.php?ip=$IPV4ADDR&pass=$MD5PASS&apikey=$USERID&tid=$TUNNELID" | logger

Where PASS is your password, USERID can be found in the “Main Page”, and TUNNELID in the “Tunnel Details” page of the Hurricane Electric website.

If the script is working, when your PPP connection starts, you should see a message like this in the system logs:

Sep 25 13:24:27 balto-mpc logger: +OK: Tunnel endpoint
    updated to: XXX.XXX.XXX.XXX

Host Addressing (radvd)

Now that the router is configured, what you need to give IPv6 connectivity to the other hosts of your network is just activate IPv6 forwarding with:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

and assign addresses and gateway to the hosts. The easiest way to do that is with the radvd daemon, which is like a stateless DHCP for IPv6.

A simple /etc/radvd.conf configuration is the following:

interface eth0
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvHomeAgentFlag off;

        prefix 2001:470:1234:5678::/64
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;

That should be enough to configure a basic IPv6 network, you can find all the scripts on GitHub!

2 Responses to IPv6 Tunnel Broker on GNU/Linux Routers

  1. O'Ray says:

    Nice post!
    You can also try the sixxs tunnel broker because they provide a ready-to-use daemon (named aiccu) that takes care of keeping the tunnel up.
    I used HE + scripts like you in the past but I got some reliability problems (scripts sometimes failed to update the tunnel broker).

    • Hi ‘Ray! Nice to hear from you after such a long time.

      Nice to know, I wasn’t aware of the aiccu utility, looks like a good one. I haven’t got any problem with the HE TB right now, but my connection is pretty reliable so I’ve not stressed the update procedure that much (yet…). In any case, the aiccu approach looks safer than mine, so I’ll try that in the future!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: